How the Kindle Touch jailbreak was discovered

The Kindle Touch has been rooted! There’s a proof video embedded after the break, but the best part about this discovery is that [Yifan Lu] wrote in-depth about how he discovered and exploited a security hole in the device.

The process begins by getting a dump of the firmware. If you remove the case it’s not hard to find the serial port on the board, which he did. But by that time someone else had already dumped the image and uploaded it. We guess you could say that [Yifan] was shocked by what he found in the disassembly. This a ground-up rewrite compared to past Kindle devices and it seems there’s a lot to be hacked. The bootloader is not locked, but messing around with that is a good way to brick the device. The Javascript, which is the language used for the UI, is not obfuscated and Amazon included many hooks for later plugins. Long story short, hacks for previous Kindles won’t work here, but it should be easy to reverse engineer the software and write new ones.

Gaining access to the device is as easy as injecting some HTML code into the UI. It is then run by the device as root (no kidding!). [Yifan] grabbed an MP3 file, changed its tag information to the HTML attack code, then played the file on the device to exploit the flaw. How long before malicious data from illegally downloaded MP3 files ends up blanking the root file system on one of these?

A lot of lost functionality and added expense just for 3G. I don’t get it either, I think at this point the Kindle line just has enough name recognition that even superior devices have trouble competing with it; not unlike the iDevices, in fact.

Though that is another story entirely. Regardless of his choice of hardware, this is a very clever hack.

Where have we seen a flaw just like this before? hmm, Android 1.0 seems about right… Type “reboot” into an sms message, hit enter, and the phone reboots. Sounds pretty close to this… Way to go Amazon! :clapping monkey: